<html>
<head><meta charset="utf-8"><title>leveraging oss-fuzz #39916 · t-compiler · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/index.html">t-compiler</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html">leveraging oss-fuzz #39916</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="182096516"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182096516" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> pnkfelix <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182096516">(Nov 28 2019 at 10:11)</a>:</h4>
<p>hi <span class="user-mention" data-user-id="247084">@Siavosh Zarrasvand</span> , lets discuss fuzzing ideas here</p>



<a name="182096596"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182096596" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> pnkfelix <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182096596">(Nov 28 2019 at 10:12)</a>:</h4>
<p>(for now I'm using issue <a href="https://github.com/rust-lang/rust/issues/39916" target="_blank" title="https://github.com/rust-lang/rust/issues/39916">#39916</a> as an anchor, just because I like to put <em>some</em> issue into each topic when I can. But its possible we will eventually want to spawn off a separate issue dedicated solely to OSS-Fuzz itself. Issue <a href="https://github.com/rust-lang/rust/issues/39916" target="_blank" title="https://github.com/rust-lang/rust/issues/39916">#39916</a> is a bit broader, dare I say "fuzzier" in scope.)</p>



<a name="182096628"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182096628" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> pnkfelix <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182096628">(Nov 28 2019 at 10:13)</a>:</h4>
<p>I suspect first steps would be to do a survey of what we already have implemented in <a href="https://github.com/rust-fuzz" target="_blank" title="https://github.com/rust-fuzz">https://github.com/rust-fuzz</a></p>



<a name="182096691"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182096691" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> pnkfelix <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182096691">(Nov 28 2019 at 10:14)</a>:</h4>
<p>also, it seems this group has a dedicated irc channel (<code>#rust-fuzz</code> on <a href="http://irc.mozilla.org" target="_blank" title="http://irc.mozilla.org">irc.mozilla.org</a>). I wonder if they can be convinced to come to zulip as well.</p>



<a name="182096945"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182096945" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> pnkfelix <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182096945">(Nov 28 2019 at 10:18)</a>:</h4>
<p>now, to be fair, I think the stuff in <a href="https://github.com/rust-fuzz" target="_blank" title="https://github.com/rust-fuzz">https://github.com/rust-fuzz</a> is dedicated to fuzzing projects implemented in Rust. While my own personal interest is in specifically fuzzing the <code>rustc</code> compiler</p>



<a name="182109913"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182109913" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Siavosh Zarrasvand <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182109913">(Nov 28 2019 at 13:49)</a>:</h4>
<p>EDIT: I wrote this before I saw what you written. I agree. <span class="user-mention" data-user-id="116083">@pnkfelix</span> </p>
<p><span class="user-mention" data-user-id="116083">@pnkfelix</span> Initially, it seems to me we need to identify two things. </p>
<ol>
<li>What tools we are going to use</li>
<li>What we're going to fuzz</li>
</ol>
<p>OSS-Fuzz supports libfuzzer and American Fuzzy Lop (AFL), the tests would need to be written in those frameworks. If they are not, there is a chance Google would not accept the submission to be run on their servers, but of course, we can try to speak to them if we choose not to use them.</p>
<p>libfuzzer: <a href="http://llvm.org/docs/LibFuzzer.html" target="_blank" title="http://llvm.org/docs/LibFuzzer.html">http://llvm.org/docs/LibFuzzer.html</a><br>
AFL: <a href="http://lcamtuf.coredump.cx/afl/" target="_blank" title="http://lcamtuf.coredump.cx/afl/">http://lcamtuf.coredump.cx/afl/</a></p>
<p>There is one QuickCheck like crate for Rust: <a href="https://docs.rs/quickcheck/0.9.0/quickcheck/" target="_blank" title="https://docs.rs/quickcheck/0.9.0/quickcheck/">https://docs.rs/quickcheck/0.9.0/quickcheck/</a><br>
QuickCheck: <a href="http://hackage.haskell.org/package/QuickCheck" target="_blank" title="http://hackage.haskell.org/package/QuickCheck">http://hackage.haskell.org/package/QuickCheck</a></p>
<p>Two articles on Fuzzing vs QuickCheck/Property testing: </p>
<p><a href="https://danluu.com/testing/" target="_blank" title="https://danluu.com/testing/">https://danluu.com/testing/</a><br>
<a href="https://medium.com/@oherrala/quickcheck-or-fuzzing-which-one-to-use-98d200e9609b" target="_blank" title="https://medium.com/@oherrala/quickcheck-or-fuzzing-which-one-to-use-98d200e9609b">https://medium.com/@oherrala/quickcheck-or-fuzzing-which-one-to-use-98d200e9609b</a></p>



<a name="182109985"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182109985" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Siavosh Zarrasvand <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182109985">(Nov 28 2019 at 13:50)</a>:</h4>
<blockquote>
<p>now, to be fair, I think the stuff in <a href="https://github.com/rust-fuzz" target="_blank" title="https://github.com/rust-fuzz">https://github.com/rust-fuzz</a> is dedicated to fuzzing projects implemented in Rust. While my own personal interest is in specifically fuzzing the <code>rustc</code> compiler</p>
</blockquote>
<p>Same here. The rust compiler and some runtime. Tokio is very high on my priorities...</p>



<a name="182110140"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182110140" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Siavosh Zarrasvand <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182110140">(Nov 28 2019 at 13:53)</a>:</h4>
<p>My personal preference: </p>
<p>I would go for fuzzing as it gives higher coverage. Well setup, we should be able perform property testing through fuzzing as well, I don't really see why we wouldn't be able to do that. </p>
<p>With regards to targets, I would say </p>
<p>rustc<br>
std, for example async-std <br>
runtimes like Tokio</p>



<a name="182110147"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182110147" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> pnkfelix <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182110147">(Nov 28 2019 at 13:53)</a>:</h4>
<p>(I probably won't be able to chat live at this point because I have to prep for the compiler meeting and then I have to go home and take care of my kids for the evening)</p>



<a name="182110223"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182110223" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> pnkfelix <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182110223">(Nov 28 2019 at 13:54)</a>:</h4>
<p>I'm pretty ignorant of APIs for libfuzzer and AFL, but I can review them.</p>



<a name="182110253"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182110253" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> pnkfelix <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182110253">(Nov 28 2019 at 13:55)</a>:</h4>
<p>there is an AFL crate in rust-fuzz: <a href="https://github.com/rust-fuzz/afl.rs" target="_blank" title="https://github.com/rust-fuzz/afl.rs">https://github.com/rust-fuzz/afl.rs</a></p>



<a name="182110291"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182110291" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> pnkfelix <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182110291">(Nov 28 2019 at 13:55)</a>:</h4>
<p>but I don't know if that's a wrapper around <a href="http://lcamtuf.coredump.cx/afl/" target="_blank" title="http://lcamtuf.coredump.cx/afl/">http://lcamtuf.coredump.cx/afl/</a>, or if it is something else</p>



<a name="182110339"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182110339" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Siavosh Zarrasvand <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182110339">(Nov 28 2019 at 13:56)</a>:</h4>
<blockquote>
<p>I'm pretty ignorant of APIs for libfuzzer and AFL, but I can review them.</p>
</blockquote>
<p>Happy to answer questions as I can learn that way. My background on the lower layers is reverse engineering, exploit development, some embedded programming. So I have no experience in compiler development but really eager to understand your thought process.</p>
<p>If it saves you time, write the questions and I'll provide answers <span aria-label="slight smile" class="emoji emoji-1f642" role="img" title="slight smile">:slight_smile:</span></p>



<a name="182110416"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182110416" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> pnkfelix <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182110416">(Nov 28 2019 at 13:57)</a>:</h4>
<p>I understand what it means to fuzz rustc, in terms of observing the compiler's behavior on variations of legal source code.</p>



<a name="182110428"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182110428" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> pnkfelix <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182110428">(Nov 28 2019 at 13:57)</a>:</h4>
<p>I'm not sure I understand what you mean by fuzzing std, though.</p>



<a name="182110487"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182110487" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> pnkfelix <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182110487">(Nov 28 2019 at 13:58)</a>:</h4>
<p>is that just a matter of trying to identify new test inputs from existing tests for std ?</p>



<a name="182110596"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182110596" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Siavosh Zarrasvand <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182110596">(Nov 28 2019 at 13:59)</a>:</h4>
<blockquote>
<p>is that just a matter of trying to identify new test inputs from existing tests for std ?</p>
</blockquote>
<p>Using a fuzzing testing approach to test some std-libraries, ideally the IO-related ones. For example tokio, fuzzing http-request/response methods to identify edge cases.</p>



<a name="182112445"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182112445" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> pachi <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182112445">(Nov 28 2019 at 14:22)</a>:</h4>
<p>I suppose you're already aware of it, but <span class="user-mention" data-user-id="127617">@Shnatsel</span> did explore fuzzying in rust, and has written some docs about the experience. I'm pinging them just in case, and this is an interesting link with some of their findings <a href="https://medium.com/@shnatsel/how-ive-found-vulnerability-in-a-popular-rust-crate-and-you-can-too-3db081a67fb" target="_blank" title="https://medium.com/@shnatsel/how-ive-found-vulnerability-in-a-popular-rust-crate-and-you-can-too-3db081a67fb">https://medium.com/@shnatsel/how-ive-found-vulnerability-in-a-popular-rust-crate-and-you-can-too-3db081a67fb</a></p>



<a name="182117282"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182117282" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Siavosh Zarrasvand <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182117282">(Nov 28 2019 at 15:28)</a>:</h4>
<blockquote>
<p>I suppose you're already aware of it, but <span class="user-mention silent" data-user-id="127617">Shnatsel</span> did explore fuzzying in rust, and has written some docs about the experience. I'm pinging them just in case, and this is an interesting link with some of their findings <a href="https://medium.com/@shnatsel/how-ive-found-vulnerability-in-a-popular-rust-crate-and-you-can-too-3db081a67fb" target="_blank" title="https://medium.com/@shnatsel/how-ive-found-vulnerability-in-a-popular-rust-crate-and-you-can-too-3db081a67fb">https://medium.com/@shnatsel/how-ive-found-vulnerability-in-a-popular-rust-crate-and-you-can-too-3db081a67fb</a></p>
</blockquote>
<p>I did read that post a while ago I believe. Also read a couple of other fuzzing attempts, one in particular at the compiler that found 8 issues. I posted it somewhere here before. </p>
<p>Perhaps useful to make a list of past approaches for reference and put it on gist. I'm out now but will sort when back <span aria-label="slight smile" class="emoji emoji-1f642" role="img" title="slight smile">:slight_smile:</span></p>



<a name="182129842"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182129842" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nagisa <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182129842">(Nov 28 2019 at 18:55)</a>:</h4>
<blockquote>
<p>also, it seems this group has a dedicated irc channel (<code>#rust-fuzz</code> on <a href="http://irc.mozilla.org" target="_blank" title="http://irc.mozilla.org">irc.mozilla.org</a>). I wonder if they can be convinced to come to zulip as well.</p>
</blockquote>
<p>Shouldn’t be too hard, you’ve already convinced at least 1 person there. <span class="user-mention" data-user-id="132040">@Manish Goregaokar</span> is also here.</p>



<a name="182129858"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182129858" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Manish Goregaokar <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182129858">(Nov 28 2019 at 18:55)</a>:</h4>
<p>I don't really actively monitor zulip though</p>



<a name="182129865"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182129865" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nagisa <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182129865">(Nov 28 2019 at 18:55)</a>:</h4>
<blockquote>
<p>now, to be fair, I think the stuff in <a href="https://github.com/rust-fuzz" target="_blank" title="https://github.com/rust-fuzz">https://github.com/rust-fuzz</a> is dedicated to fuzzing projects implemented in Rust. While my own personal interest is in specifically fuzzing the <code>rustc</code> compiler</p>
</blockquote>
<p>My undergrad was about that specifically. Fuzzing a compiler with traditional tools is… not that feasible.</p>



<a name="182139914"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182139914" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Siavosh Zarrasvand <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182139914">(Nov 28 2019 at 22:49)</a>:</h4>
<blockquote>
<blockquote>
<p>now, to be fair, I think the stuff in <a href="https://github.com/rust-fuzz" target="_blank" title="https://github.com/rust-fuzz">https://github.com/rust-fuzz</a> is dedicated to fuzzing projects implemented in Rust. While my own personal interest is in specifically fuzzing the <code>rustc</code> compiler</p>
</blockquote>
<p>My undergrad was about that specifically. Fuzzing a compiler with traditional tools is… not that feasible.</p>
</blockquote>
<p>Please elaborate <span aria-label="slight smile" class="emoji emoji-1f642" role="img" title="slight smile">:slight_smile:</span></p>



<a name="182140663"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182140663" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nagisa <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182140663">(Nov 28 2019 at 23:13)</a>:</h4>
<p>The state becomes very large very quickly. You want to fuzz separate components, but in compiler code later phases/stages etc often have many presumptions based on what the previous stages do and filter out.</p>



<a name="182140710"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182140710" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nagisa <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182140710">(Nov 28 2019 at 23:14)</a>:</h4>
<p>Those are two major problems. If you had infinite memory, fuzzing whole compiler with traditional branch-tracking tools wouldn’t be a problem. Alas.</p>



<a name="182143584"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182143584" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Siavosh Zarrasvand <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182143584">(Nov 29 2019 at 00:46)</a>:</h4>
<blockquote>
<p>Those are two major problems. If you had infinite memory, fuzzing whole compiler with traditional branch-tracking tools wouldn’t be a problem. Alas.</p>
</blockquote>
<p>I do not disagree with this. I do have some ideas for mitigation, will write after I trial and error.</p>



<a name="182143606"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182143606" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Siavosh Zarrasvand <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182143606">(Nov 29 2019 at 00:47)</a>:</h4>
<p>Ah, I had a look, and Google's OSS-Fuzz docs even mention what I had in my head: <br>
<a href="https://github.com/google/oss-fuzz/blob/master/docs/faq.md#can-i-launch-an-additional-process-eg-a-daemon-from-my-fuzz-target" target="_blank" title="https://github.com/google/oss-fuzz/blob/master/docs/faq.md#can-i-launch-an-additional-process-eg-a-daemon-from-my-fuzz-target">https://github.com/google/oss-fuzz/blob/master/docs/faq.md#can-i-launch-an-additional-process-eg-a-daemon-from-my-fuzz-target</a></p>
<p>i.e, dump fuzzing is efficient, on very limited scopes. Have many fuzz targets instead.</p>



<a name="182145129"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182145129" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nagisa <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182145129">(Nov 29 2019 at 01:36)</a>:</h4>
<p>Yeah hence: fuzz separate components. but that is a non trivial problem too. Could adapt the compiler code, of course, but that’s also non-trivial problem.</p>



<a name="182195854"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182195854" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Siavosh Zarrasvand <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182195854">(Nov 29 2019 at 18:13)</a>:</h4>
<p>Leaving this here for now for reference. Please ignore it. <a href="https://github.com/SiavoshZarrasvand/Awesome-Fuzzing/blob/master/awesome-fuzzing.md" target="_blank" title="https://github.com/SiavoshZarrasvand/Awesome-Fuzzing/blob/master/awesome-fuzzing.md">https://github.com/SiavoshZarrasvand/Awesome-Fuzzing/blob/master/awesome-fuzzing.md</a></p>



<a name="182374151"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182374151" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Siavosh Zarrasvand <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182374151">(Dec 02 2019 at 18:26)</a>:</h4>
<p>When building rustc from source, is it good to set </p>
<p><code># Build a multi-threaded rustc
parallel-compiler = true</code></p>
<p>?</p>



<a name="182374461"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182374461" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Siavosh Zarrasvand <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182374461">(Dec 02 2019 at 18:29)</a>:</h4>
<p>Also, is there a way to alternate between different settings when compiling and fuzzing the targets? For example to have one rustc  target compiled with <code>jemalloc</code> and one without.</p>



<a name="182377218"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182377218" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182377218">(Dec 02 2019 at 18:56)</a>:</h4>
<p>generally speaking, for now, probably no -- we don't ship a parallel compiler by default for now</p>



<a name="182377247"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/131828-t-compiler/topic/leveraging%20oss-fuzz%20%2339916/near/182377247" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/131828-t-compiler/topic/leveraging.20oss-fuzz.20.2339916.html#182377247">(Dec 02 2019 at 18:57)</a>:</h4>
<p>You can alternate between them probably most easily by just having separate checkouts, though that's pretty expensive on disk space</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>